Cisco Cisco 2504 Wireless Controller Referencia técnica
5
D r a f t L a b e l — C i s c o C o n f i d e n t i a l
Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0
Phase 1—Client IPv6 Support in WLC Release 7.2 to 7.6
Support for Interface Groups
The interface groups feature allows an organization to have a single WLAN with multiple VLANs configured on the
controller to permit load balancing of wireless clients across these VLANs. This feature is commonly used to keep IPv4
subnet sizes small while enabling a WLAN to scale to thousands of users across multiple VLANs in the group. To support
IPv6 clients with interface groups, no additional configuration is required as the system automatically sends the correct
router advertisement to the correct clients via L2 wireless unicast. By unicasting the router advertisement, clients on the
same WLAN, but a different VLAN, do not receive the incorrect RA.
controller to permit load balancing of wireless clients across these VLANs. This feature is commonly used to keep IPv4
subnet sizes small while enabling a WLAN to scale to thousands of users across multiple VLANs in the group. To support
IPv6 clients with interface groups, no additional configuration is required as the system automatically sends the correct
router advertisement to the correct clients via L2 wireless unicast. By unicasting the router advertisement, clients on the
same WLAN, but a different VLAN, do not receive the incorrect RA.
Note: It is not recommended to mix IPv4 and IPv6 dual stack clients in the same Interface Group.
First Hop Security for IPv6 Clients
Router Advertisement Guard
The RA Guard feature increases the security of the IPv6 network by dropping router advertisements coming from wireless
clients. Without this feature, misconfigured or malicious IPv6 clients could announce themselves as a router for the
network, often with a high priority, which could take precedence over legitimate IPv6 routers.
clients. Without this feature, misconfigured or malicious IPv6 clients could announce themselves as a router for the
network, often with a high priority, which could take precedence over legitimate IPv6 routers.
By default, RA guard is enabled at the AP (but can be disabled) and is always enabled on the controller. Dropping RAs
at the AP is preferred as it is a more scalable solution and provides enhanced per-client RA drop counters. In all cases,
the IPv6 RA is dropped at some point, protecting other wireless clients and upstream wired network from malicious or
misconfigured IPv6 clients.
at the AP is preferred as it is a more scalable solution and provides enhanced per-client RA drop counters. In all cases,
the IPv6 RA is dropped at some point, protecting other wireless clients and upstream wired network from malicious or
misconfigured IPv6 clients.
353116
VLAN 100
RA From
VLAN 100
RA
VLAN = 100
RA
VLAN = 200
VLAN 200
Interface
Group
RA From
VLAN 200
CAPWAP Tunnel
Router 1
Router 2
CAPWAP
353117
CAPWAP
CAPWAP
CAPWAP
Tunnel
IPv6
802.11
IPv6
IPv6 RA
802.11
Ethernet
VLAN